API Mode · endpoints & scripts
Find the auth bypasses before your users do.
Synthetic clients call your API with realistic and adversarial payloads. Load ceilings, edge-case input handling, and missing auth checks surface in one run.
Air-gapped sandboxAuthorized targets onlyAudit trail per run
API Mode · commit a3f92c1
5,000 personas
Health score
95/100
Throughput
18k rps
Edge cases
142 found
→ /v1/refund accepts negative amounts
→ rate limit absent on /search?q=*
→ webhook retries cause duplicate writes
✓ no public requests · sandbox destroyed
What API Mode finds
The bugs your existing tests can't see.
Unit and integration tests prove a single flow works. Oracle Bot proves a population of users doesn't break it.
- Auth bypasses and missing permission checks
- Malformed input that crashes endpoints
- Rate-limit cliffs where degradation hits
- N+1 query bottlenecks under realistic load
- Race conditions in stateful endpoints
Scenario library
Pre-built scenarios. Or roll your own.
Pick from api mode scenarios tuned to your workload, or compose a custom mix of personas, intents, and intensities.
Load profile
5k clients sustained for 30 minutes
Adversarial payloads
1k clients send fuzzed + malformed input
Auth probe
500 clients test access controls + token edge cases
Spike + recovery
10x burst then back to baseline
Who it's for
API Mode is built for the people shipping right now.
- → Backend developers shipping public APIs
- → API product owners launching new endpoints
- → Teams pre-launch on a payment, auth, or webhook service
The full platform